Evading Anti-Virus Detection using Encoders in Metasploit.

Last tutorial we create a payload and exploit a system and gained access but remember that we don’t use Antivirus Engine on the target system. In real hacking its rare to get a target system without having Antivirus.

During the exploitation phase of a pen test or ethical hacking engagement, you will ultimately need to try to cause code to run on target system computers. Whether accomplished by phishing emails, delivering a payload through an exploit, or social engineering, running code on target computers is part of most penetration tests.

That means that you will need to be able to bypass antivirus software or other host-based protection for successful exploitation. The most effective way to avoid antivirus detection on your target’s computers is to create your own customized backdoor

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and exe-cutes it.

You can use msfencode -h to see a list of msfencode usage options. Of the msfencode options, the encoder formats are among the most important.

#msfencode -h

For a list of encoder formats, we use msfencode -l, as shown next. Notice that different encoders are used for different platforms, because, For example, a PowerPC (PPC) encoder will not operate correctly on an x86 platform because of differences in the two architectures.

We add the R flag at to the msfpayload command line to specify raw output, because we will pipe its output directly into msfencode. We specify the x86/shikata_ga_nai encoder at and tell msfencode to send the executable output -t exe to /home/sathish/setup.exe.

Finally, we run a quick check at to ensure that the resulting file is in fact a Windows executable. The response tells us that it is. Unfortunately, after the setup.exe file is copied over to the Windows system or I used online malware signature detectors. Almost all Antivirus detects our encoded payload.

Here we use 3 counts at of shikata_ga_nai, feeding the code in raw format at into 2 counts of alpha_upper encoding at , which is then fed to another 3 counts of shikata_ga_nai ,followed by 3 counts of countdown encoding at , before finally directing the output into the desired executable. We are using a total of 11 encoding loops in an attempt to circumvent the antivirus software.

And again i tested by payload with the Antivirus signatures in online , we have successfully slipped our payload past the almost all antivirus engine.

One more thing to remember that you want to use your backdoor for more than one project, do not submit it to virustotal.com or any of the other online sandboxes/scanner that work with antivirus software companies to generate new signatures. Instead, buy a copy of the antivirus product used by your target organization and test it on your own systems or alternatively if your target is using one of the nine AV products scanned by VirusNoThanks, you could use http://vscan.novirusthanks.org/ or http://nodistribute.com/ and be sure to select “Do no distribute the sample” at the bottom of the page.

I hope you find these techniques useful as you help organizations better understand their security risks and improve their defenses through your penetration testing work!